[LINK] Consumer Credit-Card Risks
Roger Clarke
Roger.Clarke at xamax.com.au
Wed Jan 13 10:11:25 AEDT 2010
I'm continuing to work on the question of contactless cards. I've
had a prompt response from Visa, including some useful info. I've
not yet had any information from MasterCard or ASIC.
It continues to appear that no risk assessment or risk management
plan from the consumer's perspective exists, and that at no stage has
consultation been undertaken with reps of and advocates for the
consumer interest.
On a related matter ...
[If anyone detects anything materially wrong or misleading in the
analysis that follows, I'd appreciate a prompt kick in the head, as
brief as you like, on-list or off-list as appropriate. Nudge, nudge,
Steve.]
An article headed 'Security under the microscope' appears in the
Money Manager segment of the SMH today, and presumably of The Age.
(If that section is on the Web, it's well-hidden).
The article provides a half-decent examination of the upgrades to
security that Visa, MasterCard and issuers have been making,
including contact-based chips and one-time passwords (referred to in
the article as 'unique transaction codes').
Many of us have been arguing for years that the financial services
sector has been very lax in not upgrading security.
The figures in the article suggest that, worldwide, 285 million data
breaches occurred in 2008, 98% involving payment card data. In
Australia in FY 08-09, APCA said there were 531,000 fraudulent
transactions resulting in losses of $180 million.
Those losses are borne almost entirely by merchants. (Financial
institutions issue chargebacks to merchants. So they only bear the
loss if the merchant has disappeared, e.g. gone bankrupt, before the
chargeback is issued. Kiwibank's CEO declared his bank had lost
$1,000 in 2006-07 I think it was).
But there's also a large volume of undiscovered fraud that is borne
by consumers who fail to reconcile their accounts, are too lazy to
pursue mysterious transactions with their financial services
provider, or fail to sustain their concentration long enough to last
through their financial institution's processes - which can be
tortuous and very long-winded.
(In 2009, in order to force NAB to credit me back $70 fraudulently
charged to my card in northern Slovakia, I had to have knowledge of
how to read an EFTS terminal data-dump. 'Yer average mug punter'
would have given up and copped the loss. A key reason I hung in
there for a mere $70, and forced a chargeback against the
fraudster/service-station-operator, was that I'm a consultant,
researcher and expert witness in relation to such matters, and hence
could justify the effort involved as research).
Interim conclusion:
The contact-based chip and one-time password initiatives do appear to
be much more effective security features, and are very much to be
welcomed.
The SMH article doesn't mention two aspects of serious concern:
- contactless cards
- other transactions in which no authentication is undertaken as to
whether the person presenting the card is authorised to do so.
Visa tells me that this category is a lot more widespread than
I'd realised, and has been expanding since about 2004. Visa tells
me that I'm a rare bird never to have done one in a car-park, and
that there are many other merchant-categories with such terminals.
So ... my concerns are now much wider than contactless cards, and
include all of those transaction-types.
Finally, a quote in the article seems very strange to me.
Visa GM Chris Clark is quoted as saying:
"The [contact-based] chip produces *an algorithm* that *authenticates
the user* once only. The next time it is used its interaction with
the terminal generates *a new algorithm*. That process makes it much
harder to copy customer details" (emphases added).
Firstly, surely the chip generates a new number, not a new algorithm.
I can understand attempts to simplify complex technology, or
re-express it in ways consumers will understand (e.g. maybe pilots
with consumers have shown that they can grasp 'unique transaction
code' better than 'one-time password').
But is the seemingly incorrect word 'algorithm' really easier for
consumers than a seemingly more appropriate term such as 'number',
'code', 'one-time password' or 'unique transaction code'?
Secondly, and much more importantly, the one-time code that's
generated authenticates *the card* (or, more correctly, *the chip*).
It's materially misleading to say that it "authenticates the user".
That can only be done through the use of something the person, and
only that person, 'has, knows, is, or is now'. Having the card isn't
enough, because the card can find its way into the hands of an
unauthorised user.
I'd have been disappointed if a nominally specialist reporter made
such an error, but I think it's remarkable, and pretty poor, that the
Visa GM appears to have made the mistake.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
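To make the distinction in the post concrete, here is an added illustration (not part of Roger's message, and not EMV's real cryptogram construction: the HMAC-over-counter scheme, the card number, key and PIN are all constructed stand-ins). The issuer can verify that the genuine chip produced a fresh, unrepeated code, which authenticates the card; nothing in that code says who is holding it, so only a separate factor such as a PIN authenticates the cardholder.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed toy model: chip and issuer share a secret key, and each one-time
# code is an HMAC over card number, a strictly increasing counter and the amount.

def _mac(key: bytes, card_number: str, counter: int, amount_cents: int) -> str:
    msg = f"{card_number}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Chip:
    def __init__(self, card_number: str, key: bytes) -> None:
        self.card_number = card_number
        self._key = key
        self.counter = 0  # transaction counter; never reused

    def transaction_code(self, amount_cents: int) -> tuple[int, str]:
        """Produce a fresh one-time code; the next call yields a different one."""
        self.counter += 1
        return self.counter, _mac(self._key, self.card_number, self.counter, amount_cents)


class Issuer:
    def __init__(self) -> None:
        self._cards: dict[str, tuple[bytes, str]] = {}  # card -> (shared key, PIN)
        self._last_counter: dict[str, int] = {}

    def enrol(self, card_number: str, key: bytes, pin: str) -> None:
        self._cards[card_number] = (key, pin)
        self._last_counter[card_number] = 0

    def authorise(self, card_number: str, counter: int, code: str,
                  amount_cents: int, pin: str | None = None) -> str:
        if card_number not in self._cards:
            return "declined: unknown card"
        key, enrolled_pin = self._cards[card_number]
        # Step 1: did the genuine chip produce this code for this amount? (card authentication)
        if not hmac.compare_digest(code, _mac(key, card_number, counter, amount_cents)):
            return "declined: chip not authenticated"
        # Step 2: is the code fresh? A previously seen code is rejected, so copying it is useless.
        if counter <= self._last_counter[card_number]:
            return "declined: replayed code"
        self._last_counter[card_number] = counter
        # Step 3: only a factor tied to the person (here, the PIN) authenticates the cardholder.
        if pin is None:
            return "approved: card authenticated, cardholder not authenticated"
        if not hmac.compare_digest(pin.encode(), enrolled_pin.encode()):
            return "declined: cardholder not authenticated"
        return "approved: card and cardholder authenticated"
```

Driving `Chip.transaction_code` and `Issuer.authorise` with and without a PIN shows the two outcomes the post distinguishes: the same valid one-time code is approved in anyone's hands when no PIN is asked for.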